authorDavid Lönnhager <david.l@mullvad.net>2021-05-18 13:42:38 +0200
committerDavid Lönnhager <david.l@mullvad.net>2021-06-07 11:17:16 +0200
commitef117bb95bac58838c1d063afcc83d53f7577fa6 (patch)
tree0536717236c4a0d8e07a3eafde4139a3c4e51db8 /windows
parent7c6b8b514e428f29dcf27483597e39e48402516f (diff)
downloadmullvadvpn-ef117bb95bac58838c1d063afcc83d53f7577fa6.tar.xz
mullvadvpn-ef117bb95bac58838c1d063afcc83d53f7577fa6.zip
Remove pingable hosts
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp15
-rw-r--r--windows/winfw/src/winfw/fwcontext.h7
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp30
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h3
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitping.cpp118
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitping.h30
-rw-r--r--windows/winfw/src/winfw/winfw.cpp30
-rw-r--r--windows/winfw/src/winfw/winfw.h20
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
9 files changed, 1 insertions, 254 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index d89437d699..6f2667c429 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -13,7 +13,6 @@
#include "rules/baseline/permitloopback.h"
#include "rules/baseline/permitvpntunnel.h"
#include "rules/baseline/permitvpntunnelservice.h"
-#include "rules/baseline/permitping.h"
#include "rules/baseline/permitdns.h"
#include "rules/baseline/permitendpoint.h"
#include "rules/dns/blockall.h"
@@ -179,7 +178,6 @@ bool FwContext::applyPolicyConnecting
const WinFwEndpoint &relay,
const std::wstring &relayClient,
const std::optional<std::wstring> &tunnelInterfaceAlias,
- const std::optional<PingableHosts> &pingableHosts,
const std::optional<WinFwEndpoint> &allowedEndpoint
)
{
@@ -205,19 +203,6 @@ bool FwContext::applyPolicyConnecting
));
}
- //
- // Permit pinging the gateway inside the tunnel.
- //
- if (pingableHosts.has_value())
- {
- const auto &ph = pingableHosts.value();
-
- ruleset.emplace_back(std::make_unique<baseline::PermitPing>(
- ph.tunnelInterfaceAlias,
- ph.hosts
- ));
- }
-
const auto status = applyRuleset(ruleset);
if (status)
diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h
index cff3e3c823..a3b23f2c8b 100644
--- a/windows/winfw/src/winfw/fwcontext.h
+++ b/windows/winfw/src/winfw/fwcontext.h
@@ -24,19 +24,12 @@ public:
const std::optional<WinFwEndpoint> &allowedEndpoint
);
- struct PingableHosts
- {
- std::optional<std::wstring> tunnelInterfaceAlias;
- std::vector<wfp::IpAddress> hosts;
- };
-
bool applyPolicyConnecting
(
const WinFwSettings &settings,
const WinFwEndpoint &relay,
const std::wstring &relayClient,
const std::optional<std::wstring> &tunnelInterfaceAlias,
- const std::optional<PingableHosts> &pingableHosts,
const std::optional<WinFwEndpoint> &allowedEndpoint
);
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 417b157f82..f5693d7751 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -137,8 +137,6 @@ MullvadGuids::DetailedIdentityRegistry MullvadGuids::DetailedRegistry(IdentityQu
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Outbound_Router_Solicitation()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Router_Advertisement()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Redirect()));
- registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitPing_Outbound_Icmpv4()));
- registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitPing_Outbound_Icmpv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitDns_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitDns_Outbound_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_BlockAll_Outbound_Ipv4()));
@@ -757,34 +755,6 @@ const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Redirect()
}
//static
-const GUID &MullvadGuids::Filter_Baseline_PermitPing_Outbound_Icmpv4()
-{
- static const GUID g =
- {
- 0x2ecf7ff7,
- 0xc951,
- 0x4056,
- { 0xb0, 0xf7, 0x40, 0xa4, 0x5c, 0x7e, 0xb4, 0xc2 }
- };
-
- return g;
-}
-
-//static
-const GUID &MullvadGuids::Filter_Baseline_PermitPing_Outbound_Icmpv6()
-{
- static const GUID g =
- {
- 0x3deb8cab,
- 0x1edb,
- 0x4aa1,
- { 0xb2, 0x73, 0xec, 0x61, 0x4f, 0x50, 0xdc, 0x13 }
- };
-
- return g;
-}
-
-//static
const GUID &MullvadGuids::Filter_Baseline_PermitDns_Outbound_Ipv4()
{
static const GUID g =
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 7f00863811..f8b9fbb770 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -81,9 +81,6 @@ public:
static const GUID &Filter_Baseline_PermitNdp_Inbound_Router_Advertisement();
static const GUID &Filter_Baseline_PermitNdp_Inbound_Redirect();
- static const GUID &Filter_Baseline_PermitPing_Outbound_Icmpv4();
- static const GUID &Filter_Baseline_PermitPing_Outbound_Icmpv6();
-
static const GUID &Filter_Baseline_PermitDns_Outbound_Ipv4();
static const GUID &Filter_Baseline_PermitDns_Outbound_Ipv6();
diff --git a/windows/winfw/src/winfw/rules/baseline/permitping.cpp b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
deleted file mode 100644
index d8849590eb..0000000000
--- a/windows/winfw/src/winfw/rules/baseline/permitping.cpp
+++ /dev/null
@@ -1,118 +0,0 @@
-#include "stdafx.h"
-#include "permitping.h"
-#include <winfw/mullvadguids.h>
-#include <winfw/rules/shared.h>
-#include <libwfp/filterbuilder.h>
-#include <libwfp/conditionbuilder.h>
-#include <libwfp/conditions/conditionip.h>
-#include <libwfp/conditions/conditioninterface.h>
-#include <libwfp/conditions/conditionprotocol.h>
-#include <libcommon/error.h>
-
-using namespace wfp::conditions;
-
-namespace rules::baseline
-{
-
-PermitPing::PermitPing
-(
- std::optional<std::wstring> interfaceAlias,
- const std::vector<wfp::IpAddress> &hosts
-)
- : m_interfaceAlias(std::move(interfaceAlias))
-{
- SplitAddresses(hosts, m_hostsIpv4, m_hostsIpv6);
-}
-
-bool PermitPing::apply(IObjectInstaller &objectInstaller)
-{
- if (false == m_hostsIpv4.empty())
- {
- if (false == applyIcmpv4(objectInstaller))
- {
- return false;
- }
- }
-
- if (false == m_hostsIpv6.empty())
- {
- if (false == applyIcmpv6(objectInstaller))
- {
- return false;
- }
- }
-
- return true;
-}
-
-bool PermitPing::applyIcmpv4(IObjectInstaller &objectInstaller) const
-{
- wfp::FilterBuilder filterBuilder;
-
- //
- // #1 Permit outbound ICMPv4 to %host% on %interface%.
- //
-
- filterBuilder
- .key(MullvadGuids::Filter_Baseline_PermitPing_Outbound_Icmpv4())
- .name(L"Permit outbound ICMP to specific host (ICMPv4)")
- .description(L"This filter is part of a rule that permits ping")
- .provider(MullvadGuids::Provider())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
- .sublayer(MullvadGuids::SublayerBaseline())
- .weight(wfp::FilterBuilder::WeightClass::Max)
- .permit();
-
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionProtocol::Icmp());
-
- for (const auto &host : m_hostsIpv4)
- {
- conditionBuilder.add_condition(ConditionIp::Remote(host));
- }
-
- if (m_interfaceAlias.has_value())
- {
- conditionBuilder.add_condition(ConditionInterface::Alias(m_interfaceAlias.value()));
- }
-
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
-}
-
-bool PermitPing::applyIcmpv6(IObjectInstaller &objectInstaller) const
-{
- wfp::FilterBuilder filterBuilder;
-
- //
- // #1 Permit outbound ICMPv6 to %host% on %interface%.
- //
-
- filterBuilder
- .key(MullvadGuids::Filter_Baseline_PermitPing_Outbound_Icmpv6())
- .name(L"Permit outbound ICMP to specific host (ICMPv6)")
- .description(L"This filter is part of a rule that permits ping")
- .provider(MullvadGuids::Provider())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6)
- .sublayer(MullvadGuids::SublayerBaseline())
- .weight(wfp::FilterBuilder::WeightClass::Max)
- .permit();
-
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
-
- for (const auto &host : m_hostsIpv6)
- {
- conditionBuilder.add_condition(ConditionIp::Remote(host));
- }
-
- if (m_interfaceAlias.has_value())
- {
- conditionBuilder.add_condition(ConditionInterface::Alias(m_interfaceAlias.value()));
- }
-
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
-}
-
-}
diff --git a/windows/winfw/src/winfw/rules/baseline/permitping.h b/windows/winfw/src/winfw/rules/baseline/permitping.h
deleted file mode 100644
index 438aafc3f9..0000000000
--- a/windows/winfw/src/winfw/rules/baseline/permitping.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#pragma once
-
-#include <winfw/rules/ifirewallrule.h>
-#include <libwfp/ipaddress.h>
-#include <string>
-#include <optional>
-#include <vector>
-
-namespace rules::baseline
-{
-
-class PermitPing : public IFirewallRule
-{
-public:
-
- PermitPing(std::optional<std::wstring> interfaceAlias, const std::vector<wfp::IpAddress> &hosts);
-
- bool apply(IObjectInstaller &objectInstaller) override;
-
-private:
-
- const std::optional<std::wstring> m_interfaceAlias;
- std::vector<wfp::IpAddress> m_hostsIpv4;
- std::vector<wfp::IpAddress> m_hostsIpv6;
-
- bool applyIcmpv4(IObjectInstaller &objectInstaller) const;
- bool applyIcmpv6(IObjectInstaller &objectInstaller) const;
-};
-
-}
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index 119edc4ca6..57610409c4 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -20,34 +20,6 @@ void *g_logSinkContext = nullptr;
FwContext *g_fwContext = nullptr;
-std::optional<FwContext::PingableHosts> ConvertPingableHosts(const PingableHosts *pingableHosts)
-{
- if (nullptr == pingableHosts)
- {
- return {};
- }
-
- if (nullptr == pingableHosts->hosts
- || 0 == pingableHosts->numHosts)
- {
- THROW_ERROR("Invalid PingableHosts structure");
- }
-
- FwContext::PingableHosts converted;
-
- if (nullptr != pingableHosts->tunnelInterfaceAlias)
- {
- converted.tunnelInterfaceAlias = pingableHosts->tunnelInterfaceAlias;
- }
-
- for (size_t i = 0; i < pingableHosts->numHosts; ++i)
- {
- converted.hosts.emplace_back(wfp::IpAddress(pingableHosts->hosts[i]));
- }
-
- return converted;
-}
-
WINFW_POLICY_STATUS
HandlePolicyException(const common::error::WindowsException &err)
{
@@ -261,7 +233,6 @@ WinFw_ApplyPolicyConnecting(
const WinFwEndpoint *relay,
const wchar_t *relayClient,
const wchar_t *tunnelInterfaceAlias,
- const PingableHosts *pingableHosts,
const WinFwEndpoint *allowedEndpoint
)
{
@@ -292,7 +263,6 @@ WinFw_ApplyPolicyConnecting(
*relay,
relayClient,
tunnelInterfaceAlias != nullptr ? std::make_optional(tunnelInterfaceAlias) : std::nullopt,
- ConvertPingableHosts(pingableHosts),
MakeOptional(allowedEndpoint)
) ? WINFW_POLICY_STATUS_SUCCESS : WINFW_POLICY_STATUS_GENERAL_FAILURE;
}
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index 5065582e29..5a34b7784b 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -118,23 +118,6 @@ WinFw_Deinitialize(
WINFW_CLEANUP_POLICY cleanupPolicy
);
-//
-// PingableHosts:
-//
-// Specifies a set of IP addresses that should be reachable by ICMP when the connecting
-// policy is effective.
-//
-// The interface alias is optional and can be used to restrict the traffic such
-// that it is only allowed on that specific interface.
-//
-typedef struct tag_PingableHosts
-{
- const wchar_t *tunnelInterfaceAlias;
- const wchar_t **hosts;
- size_t numHosts;
-}
-PingableHosts;
-
enum WINFW_POLICY_STATUS
{
WINFW_POLICY_STATUS_SUCCESS = 0,
@@ -148,7 +131,7 @@ enum WINFW_POLICY_STATUS
// Apply restrictions in the firewall that block all traffic, except:
// - What is specified by settings
// - Communication with the relay server
-// - ICMP (for ping) to/from tunnel gateway
+// - Non-DNS traffic inside the VPN tunnel
//
extern "C"
WINFW_LINKAGE
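Review bot: The rewritten bullet describes what the connecting policy permits, but the comment block should also make explicit that the exported signature of `WinFw_ApplyPolicyConnecting` changes in the next hunk of this header (the `pingableHosts` pointer is dropped), which is a C ABI break for anything calling the DLL: a caller built against the old header passes six arguments, and the new five-parameter function would read `allowedEndpoint` from the stack slot the old caller used for `pingableHosts`, so a stale binding would silently misinterpret a pointer rather than fail. The diffstat is limited to `windows`, so the FFI declaration on the calling side is not visible here; confirm it is updated in the same change. A one-line note such as `// NOTE: the former pingableHosts parameter was removed; all callers must be rebuilt against this header.` would make the break visible to readers. Relatedly, mullvadguids.cpp drops the two `Filter_Baseline_PermitPing_*` keys from `DetailedRegistry`; if that registry is what the cleanup path enumerates, filters installed under those keys by an earlier build would presumably no longer be found and removed on upgrade, which is worth confirming.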
@@ -159,7 +142,6 @@ WinFw_ApplyPolicyConnecting(
const WinFwEndpoint *relay,
const wchar_t *relayClient,
const wchar_t *tunnelInterfaceAlias,
- const PingableHosts *pingableHosts,
const WinFwEndpoint *allowedEndpoint
);
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index 3f9502a10d..72c5eea98a 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -32,7 +32,6 @@
<ClCompile Include="rules\baseline\permitlanservice.cpp" />
<ClCompile Include="rules\baseline\permitloopback.cpp" />
<ClCompile Include="rules\baseline\permitndp.cpp" />
- <ClCompile Include="rules\baseline\permitping.cpp" />
<ClCompile Include="rules\baseline\permitvpntunnel.cpp" />
<ClCompile Include="rules\baseline\permitvpntunnelservice.cpp" />
<ClCompile Include="rules\dns\blockall.cpp" />
@@ -67,7 +66,6 @@
<ClInclude Include="rules\baseline\permitlanservice.h" />
<ClInclude Include="rules\baseline\permitloopback.h" />
<ClInclude Include="rules\baseline\permitndp.h" />
- <ClInclude Include="rules\baseline\permitping.h" />
<ClInclude Include="rules\baseline\permitvpntunnel.h" />
<ClInclude Include="rules\baseline\permitvpntunnelservice.h" />
<ClInclude Include="rules\dns\blockall.h" />